Time
14 hours 43 minutes
Difficulty
Advanced
CEU/CPE
15

Video Transcription

00:01
Hello, everybody, and welcome to lesson number 19 of this series: SQL injection.
00:08
My name is Alejandro Guinea and I'll be the instructor for today's session.
00:12
The learning objective of this session is to understand the concepts behind the SQL injection attack and apply the techniques to implement this attack.
00:23
So let's get down to business, shall we?
00:27
Let me first give you some background about this attack. An SQL injection attack consists of inserting or injecting SQL
00:41
through any input in the client application or the web application itself. A successful SQL injection exploit can read sensitive data from the database, modify the database or even execute operations on the database.
01:00
You can even get to the point of actually executing commands on the operating system the database is running on. We'll see that later in this video. We also have, you know, plain SQL injection, which
01:18
infers or supposes that you already know the database. I mean, you know
01:23
maybe the table name or the database name, or
01:29
any name, whatever. But most of the time this is not true. Most of the time
01:36
you end up
01:38
trying to guess what's behind the database. So there's another attack, which is blind SQL injection, and this is basically asking the database true or false questions to see the answer and, you know, maybe
01:56
infer some information from the answer we get back from the database.
02:01
This attack is often used when the web application is configured to show generic error messages. Because in some applications, when you're actually trying to see if the application is vulnerable to SQL injection,
02:19
if the error module was not properly created or properly handled,
02:24
you can actually see some information about the database. For example, saying the database with name blah blah doesn't exist, or the table name you're trying to access is, I don't know, whatever. These error messages can actually give you some
02:43
indicators about the database information. But in other cases this is not true. In other cases you just see generic error messages saying that
02:53
this could not be accessed or, you know, just the word "error", and that's it. So when an attacker exploits the SQL injection, sometimes the web application displays
03:05
these generic errors, so you just have to go and ask true or false questions to see if
03:13
you get information, or to see how many tables there are, or how many fields are included in a specific table. That's the point.
03:23
Other than that, blind SQL injection and plain or normal SQL injection are nearly the same. The only difference is how the data is retrieved from the database. Again, with plain SQL injection you just
03:43
know the table name or the database name, or
03:46
you have information about the database, but in blind SQL injection you go and ask true or false questions, see what's replied or see what the behavior is, and try to
04:00
get as much information as possible with these questions. But that's it.
04:06
That's the main difference between these two types of attacks. But in general, the point is you will be
04:15
basically stopping the query or the normal functionality of the query. Maybe the query was just to
04:23
get a login or get some information from the table. So you just cut that, maybe in the middle, and perform your own query or change the behavior of the query itself.
04:33
Okay, so
04:36
I will be showing you how to do that. Remember that in the previous video we saw SQL injection, I'm sorry, cross-site scripting. What we have here on Windows, which again, if you go to the welcome page, it launches the malicious script and it downloads
04:56
the executable file.
04:58
Remember that. But we'll be using that for this
05:05
exercise. So we don't have any way we can log in, remember, because we didn't have,
05:12
let me just open it here in our local web browser,
05:16
we didn't have
05:19
the cookie, but we can actually log in here and apply a different cookie, and actually
05:30
go to the login web page.
05:34
Let me just type the password to test. Well, right now I'm just giving you this example in case you forgot about it.
05:45
Now, because we already have the query executing, I'm sorry, the cross-site scripting executing, it's already sending cookies back to us. So we just need to wait for a cookie to be sent back to us.
06:00
If you remember, I
06:04
encouraged you to go back to the cross-site scripting
06:09
video and see how we actually
06:12
got to this point. I mean, how we can actually retrieve a valid cookie from the server and actually bypass this login
06:24
web page that we have right now.
06:27
Let me see. I have a cookie. Okay, we got a cookie right now, so we just go here
06:33
and we just get the cookie manager for the current page, we edit this
06:40
and we
06:41
copy the valid cookie, we close this out and
06:46
oh,
06:47
okay. Yeah, I know that.
06:50
Go home, we go to login and we're already in. So here we have our normal navigation to the web pages, and we have delete and edit. But if you go to edit, I can see this, and I can see there's
07:06
the web page, I mean the URL has
07:11
an input variable here, so I can just see if it's actually vulnerable to a cross-site scripting attack.
07:18
You can just type this.
07:24
And there you go.
07:27
You can see some information and you can actually see, let me just stop this, it's not fair to the server anymore.
07:35
So yeah, you can see that actually putting this, which will cut the common behavior of the query, actually shows us an exception. So we may be interested in the exception. I mean, maybe it says, or maybe I know that
07:54
this is the page or whatever.
07:57
We can actually see that. We can also know that from this point forward,
08:03
this is actually vulnerable to SQL injection. So we already found an SQL injection.
08:11
To, you know,
08:15
actually get that.
08:16
So,
08:18
for example, I know we're querying a table here, obviously, but I need to know how many columns are in the table being used by this query. So I just go and put something like this,
08:35
order by one, and then ignore the rest of the query.
08:41
And I didn't get any error message. So I go incrementing my one to see how many.
08:50
Okay. Now, remember, no error message so far, to see how many fields are in this table, so
08:58
Oh, okay. Warning, you know, a message. So there are four fields or four registries in this table. So now that I know that, I can use, I don't know, maybe some union select to get info on each field. For example, I can, yes,
09:18
let this
09:18
and put something like union, oh, sorry,
09:22
union select
09:24
one comma two comma three comma four
09:30
and it didn't fail. So now I need to know which field is used, you know,
09:37
is displaying this message, which field is displayed in the title box and which field is displayed in the text box. So for that, I can use commands like version, for example, like I'm going here with version instead of field one.
09:54
Nothing changed. So obviously field number one is not being used for that.
10:01
A version.
10:05
Okay, nothing changed here.
10:07
So I can, you know, just
10:11
that means
10:13
change this again.
10:18
And here field number three,
10:22
version.
10:26
Oh, nothing's changing. Let me just try it with user.
10:33
Nothing's actually changing, unless I'm missing something.
10:37
Oh, it's not changing, you guys. Sorry about that. It's not changing because I'm already using a table that actually contains information. So if I go here and put number three, just so you know, we already know that this is not something that I'm just cutting. Cut this in here
10:56
and just save it. Number ten,
11:00
number one goes to the welcome, number two goes to the text,
11:05
and number three obviously will not go to anything at the end. It doesn't contain any field.
11:11
So if I go here,
11:13
okay, there you go. Field number one, field number two, and user, just root at localhost.
11:20
And you can
11:22
put version here.
11:24
Okay. The version of the database and the user that is being used to execute the database instance. So yeah, we can retrieve information.
11:35
You can even use something like LOAD_FILE
11:37
in the user field, since at the end the user field has more space, so we can just use something like
11:45
oh, sorry,
11:46
like the instruction LOAD
11:50
FILE.
11:52
And then just,
11:54
for example, for the password.
11:58
Hope that's how you write it.
12:01
Oh, an exception. What happened?
12:05
Oh, I didn't. I'm sorry about that, you guys.
12:13
And you can actually get the information from the operating system, so you can see how harmful this could be. Because at the end you can dump maybe a password file, or maybe, if the permissions are not properly established, you can actually dump SSH keys or certificates or whatever.
12:33
You can actually perform a lot of malicious stuff. You basically have
12:37
something like running the cat command or something like that in the operating system through an SQL injection, you guys. I mean, I'm not
12:48
saying any reverse shell here, but you can actually do that.
12:52
So,
12:54
now that we know that we actually did this manually, we can actually use tools for that. What was the cookie? Okay, this is just this one.
13:05
Doesn't matter,
13:07
at the end it's about the cookie. We'll use this cookie and just
13:11
copy
13:13
to actually
13:15
use the sqlmap tool.
13:18
So then you just get the basic command, and explaining it to you,
13:22
just keep this in mind,
13:24
so sqlmap, I'm telling it the URL to go to, which at the end is
13:31
this URL.
13:33
Nothing here to actually show.
13:37
You go to this URL. That's what I'm telling it right now in the URL section, because I already know this is where the SQL injection was happening. So
13:48
and then we tell it, okay, use the cookie, because there will be a login if I don't tell it that. Let me just
13:58
execute this. And, you know,
14:01
it gave me some information and told me that it's actually
14:07
vulnerable to this, you know?
14:13
And it's telling me some information
14:16
that I will be interested in, like the SQL, MySQL, I know it's MySQL, and some other generic information about this.
14:28
But what will happen if I erase the cookie? It will tell me that the login, I mean, it's asking for login or something like that.
14:37
Okay. Redirect to the login page, do you want to follow? If I tell it yes,
14:43
no.
14:43
Well, I already have a valid cookie, but that's the point. We're just passing the cookie as we do, but whatever. And then we actually perform here, we can actually say dump.
14:58
And it will dump the information of the database.
15:01
Okay.
15:03
And we'll see more information. And that's the thing. Do you want to store hashes to a temporary file for eventual further processing with other tools? No, I don't want to. Do you want to crack them via a dictionary-based attack? That's amazing. Yeah, I want to.
15:20
Okay, so it cracked some passwords and some, you know, documents.
15:28
And that's the point. I mean,
15:31
with tools like this you can actually get some information
15:35
from that with a single command. You can actually get, this depends,
15:43
os-shell. This depends on the permissions the database is running with on the operating system. Some
15:52
databases are running with root permissions or administrator permissions, so you can easily get a shell, because at the end you will be uploading, and remember that we saw a PHP reverse shell, you will be uploading a PHP file to the directory that it was running in.
16:12
So if that doesn't have permission to write to
16:15
that directory or to create services, most likely you will not get a reverse shell or OS shell. But, you know, we can try.
16:26
I know it's PHP. I just go with number four in here.
16:30
And yeah, it looks like the file has not been written. Usually it occurs because the database process has no write privileges or permissions on the destination. But yeah, that's kind of expected, but you can see that SQL injection is a real thing. And you can actually
16:49
see how harmful this could be. And you can dump passwords, you can dump the database itself. Actually, thinking about the other things that we were watching, what we wrote in the previous,
17:04
the previous video. But you get the point. You can get passwords. Okay, we'll have here, for example, the admin password, and we already know this password, so let's just try it out.
17:19
Um,
17:21
if I log out from here, I go to admin, and I just put admin
17:26
and
17:27
the password.
17:30
I already have that password. So,
17:33
as you can see, this could be really harmful to anyone actually being a victim of this attack.
17:44
Post-assessment questions. What is the difference between SQL injection and blind SQL injection? They're almost the same, but with blind SQL injection you will be asking true or false questions to the server to see what the behavior is, and inferring information from that answer. But that's it.
18:03
Can we actually gain remote control through this attack? Yeah, we actually can, if there's a misconfiguration allowing the database to write files to a specific location, or to have root or administrator privileges. You can definitely get a reverse shell from that,
18:21
using, for example, the sqlmap tool or any other tools.
18:26
Performing this SQL injection attack.
18:30
In this video we learned the concepts behind the SQL injection attack, and we implemented some techniques to execute this attack, and we also saw how malicious this attack can be.
18:42
Supplementary materials: again, for this entire module, there's no other way to go, huh?
18:48
Other than, with all the supplementary materials, the Hacker Playbook. I think this is an amazing book. You should definitely read it. It will contain this and more information, I mean about other attacks. And again, every possible source you can find on Google and YouTube. There's no
19:08
wrong or good way to go here, you guys,
19:11
and looking forward to the next video, we'll cover local file inclusion and remote file inclusion.
19:19
Well, that's it for today, folks. I hope you enjoyed the video, and talk to you soon.
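The column-count probe (raising ORDER BY until the database errors) and the UNION SELECT trick from the lecture, reproduced against a handler that concatenates the URL parameter into its query, beside the parameterized handler that defeats the same input. This is an added example, not code from the video or its lab; it uses Python's sqlite3 as a stand-in for the lab's MySQL database, and the table and column names are constructed.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the lab's table: four columns, of which
    # title and body are rendered on the page (the lecture's "field one"
    # and "field two").
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (id INTEGER, title TEXT, body TEXT, author TEXT)")
    db.execute("INSERT INTO posts VALUES (1, 'welcome', 'hello', 'admin')")
    return db

def fetch_post_vulnerable(db, post_id):
    # Vulnerable: the URL parameter is concatenated into the statement,
    # so "ORDER BY n" and "UNION SELECT ..." become part of the query.
    sql = "SELECT id, title, body, author FROM posts WHERE id = " + post_id
    return db.execute(sql).fetchone()

def fetch_post_safe(db, post_id):
    # Hardened: the parameter is bound, so it is compared as a value and
    # never parsed as SQL. A numeric string still matches its row.
    sql = "SELECT id, title, body, author FROM posts WHERE id = ?"
    return db.execute(sql, (post_id,)).fetchone()

def probe(fetch, db, payload):
    # Return ("row", row) or ("error", message) so both handlers compare.
    try:
        return ("row", fetch(db, payload))
    except sqlite3.Error as exc:
        return ("error", str(exc))

def column_count(db, max_cols=10):
    # The lecture's enumeration: raise ORDER BY n until the DB errors out.
    # Returns the highest n that still succeeds against the vulnerable handler.
    n = 0
    for i in range(1, max_cols + 1):
        if probe(fetch_post_vulnerable, db, f"1 ORDER BY {i}")[0] == "error":
            break
        n = i
    return n

# sqlite_version() plays the role of MySQL's version() in the lecture.
UNION_PROBE = "0 UNION SELECT 1, sqlite_version(), 3, 4"

if __name__ == "__main__":
    db = make_db()
    print("columns:", column_count(db))                                 # 4
    print("vulnerable:", probe(fetch_post_vulnerable, db, UNION_PROBE))  # version in field two
    print("safe:", probe(fetch_post_safe, db, UNION_PROBE))             # ('row', None)
```

The same string that leaks the engine version through the first handler simply fails to match any row in the second, which is why the fix is binding parameters rather than filtering the input.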

Instructed By

Alejandro Guinea
CERT Regional Director
Instructor